Jump to: navigation, search

Template:Whonix.org security

The website whonix.org takes an individual's privacy seriously and collects as little information as possible. IP logs are disabled and apache mod-removeip is being used. [1] If events such as spamming or abuse become widespread, then it may be necessary to re-enable IP logging.

In any case, it is recommended to visit this website using either Tor Browser in Whonix or the Tor Browser Bundle. Although this server is rented from a reputable server provider, their logging policy cannot be audited.

A written privacy policy is not worth much anyway, since it is only privacy on paper. That is why anonymity preserving tools such as Whonix and Tor Browser have been created in the first place; to enforce privacy by design.

Valid SSL Certificate Yes
HTTPS Everywhere [2] Inclusion Yes [3]
OpenPGP-signed Fingerprint of whonix.org's SSL Certificate Yes [4]
Passed Qualys SSL LABS [5] SSL Server Test [6]: Yes, A rating. [7]
HSTS [8] Yes [9]
HSTS Preloading List [10] [11] [12] [13] [14] Yes [15] [16] [17]
Certificate Authority (CA) Pinning No [18]
HTTP Public Key Pinning[19] No [20]
Flagged Revisions [21] Yes, admins must verify changes before they become the default version.
Secondary .onion Domain [22] Yes [23] [24]
Content Security Policy (CSP) No [25] [26] [27]

If users have any further suggestions, please edit this entry or discuss possible changes in the Whonix forums.


  1. https://we.riseup.net/debian/apache#mod_removeip
  2. https://www.eff.org/https-everywhere
  3. https://trac.torproject.org/projects/tor/ticket/9143
  4. Cite error: Invalid <ref> tag; no text was provided for refs named fingerprint
  5. https://www.ssllabs.com/
  6. https://www.ssllabs.com/ssltest/index.html
  7. https://www.ssllabs.com/ssltest/analyze.html?d=whonix.org
  8. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
  9. curl -i https://whonix.org
  10. http://blog.chromium.org/2011/06/new-chromium-security-features-june.html
  11. http://blog.stalkr.net/2011/08/hsts-preloading-public-key-pinning-and.html
  12. http://www.chromium.org/sts
  13. https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
  14. https://bugzilla.mozilla.org/show_bug.cgi?id=861960
  15. Requested. Will propagate to Chrome, Firefox and Tor Browser.
  16. https://github.com/Whonix/Whonix/issues/34
  17. http://src.chromium.org/viewvc/chrome?revision=209444&view=revision
  18. https://phabricator.whonix.org/T66
  19. https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
  20. https://phabricator.whonix.org/T84
  21. https://www.mediawiki.org/wiki/Extension:FlaggedRevs/
  22. Optional Tor onion service (.onion domain); alternative end-to-end encrypted/authenticated connection; in this use case, not for location privacy; backup in case DNS is not functional
  23. http://kkkkkkkkkk63ava6.onion.
  24. See also Forcing .onion on Whonix.org.
  25. D Rating. https://securityheaders.io/?followRedirects=on&hide=on&q=whonix.org Content Security Policy is not enacted, X-Content-Type-Options are vulnerable to MIME-sniffing, and Referrer Policy is not set.
  26. https://phabricator.whonix.org/T70
  27. https://forums.whonix.org/t/whonix-website-security-rating-b-mozilla-observatory

Random News:

Don't mind having your name connected to Whonix? Follow us on Twitter / Facebook / g+.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)